Lofty Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Terms of Use governing Lofty Customers’ use of the Service Offerings (the “Agreement”) when the GDPR applies to your use of our Services to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Lofty (“We”, “Our”, “Data Processor”) under the Agreement. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in in the definitions section of this DPA.

GENERAL TERMS.

The parties agree that this DPA shall prevail over any pre-existing DPA or other contractual provisions pertaining to the subject matter contained herein that the parties may previously have entered into in connection with Services.
Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail.
Any claims brought under or in connection with this DPA are subject to the terms and conditions, including but not limited to the exclusions and limitations of liability, set forth in the Agreement.

ROLES OF PARTIES; CUSTOMER OBLIGATIONS

The Parties acknowledge and agree that for purposes of this DPA, Lofty is a Processor of Customer Personal Data, and that Customer is a Controller.
Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its Processing of Customer Personal Data and any Processing instructions it issues to Lofty; and (ii) it has provided all notices, and obtained all consents and rights, necessary under Data Protection Laws for Lofty to Process Customer Personal Data and provide the Services as described in the Agreement. Customer shall promptly notify Lofty and cease Processing Customer Personal Data in the event any required authorization or legal basis for Processing is revoked or terminates; and (ⅲ) Lofty shall have no liability arising from the processing of data in accordance with Customer’s instructions. Customer agrees to hold Lofty harmless and indemnify Lofty for any damages suffered due to the processing of data in accordance with Customer’s instructions.

1. Data Processing.

1.1
Scope and Roles. This DPA applies when Customer Data is processed by Lofty. In this context, we will act as processor to Customer, who can act either as controller or processor of Customer Data.
1.2

Customer Controls. Customer can submit requests through the Data Subject Access Rights (DSAR) Portal noted in our Privacy Policy. This can be used to submit requests related to the Customer’s obligations under the GDPR, including its obligations to respond to requests from data subjects. Considering Lofty becomes aware that Customer Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will cooperate with Customer to erase or rectify inaccurate or outdated Customer Data transferred under the Standard Contractual Clauses by fulfilling requests submitted through our DSAR portal.
1.3 Details of Data Processing.
- 1.3.1
  Subject matter. The subject matter of the data processing under this DPA is Customer Data.
- 1.3.2
  Duration. As between Lofty and Customer, the duration of the data processing under this DPA is determined by Customer.
- 1.3.3
  Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by Customer from time to time.
- 1.3.4
  
  Nature of the processing. Software as a Service (SaaS) and such other Services as described in the Terms of Use and initiated by Customer from time to time.
- 1.3.5
  Type of Customer Data. Customer Data provided by and or uploaded to the Customer’s SaaS tenant.
- 1.3.6
  Categories of data subjects. The data subjects could include Customer’s customers, employees, suppliers, and End Users.
1.4
Compliance with Laws. Each party will comply with all laws, rules, and regulations applicable to it and binding on it in the performance of this DPA, including, but not limited to, the GDPR.

Customer Instructions. The parties agree that this DPA and the Agreement (including instructions provided by Customer) constitute Customer’s documented instructions regarding Lofty’s processing of Customer Data (“Documented Instructions”). Lofty will process Customer Data only in accordance with Documented Instructions (which if Customer is acting as a processor, could be based on the instructions of its controllers). Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Lofty and Customer, including agreement on any additional fees payable by Customer to Lofty for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Lofty declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Considering the nature of the processing, Customer agrees that it is unlikely Lofty can form an opinion on whether Documented Instructions conflict with the GDPR. If Lofty forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions.
Confidentiality of Customer Data. Lofty will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Lofty a demand for Customer Data, Lofty will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Lofty may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then Lofty will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Lofty is legally prohibited from doing so.
- 3.1
  Subject matter. The subject matter of the data processing under this DPA is Customer Data.
- 3.2
  Customer acknowledges that Lofty may change the security measures through the adoption of new or enhanced security technologies and authorizes Lofty to make such changes provided that they do not diminish the existing level of protection. Lofty shall make information about the most up to date security measures applicable to the Services available to Customer upon request.
Confidentiality Obligations of Lofty Inc. Personnel. Lofty restricts its personnel from processing Customer Data without authorization by Lofty. Lofty imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
Assistance with Data Subject Requests.To the extent Customer does not have the ability to independently correct, amend, or delete Customer Personal Data, or block or restrict Processing of Customer Personal Data, then at Customer’s written direction and to the extent required by Data Protection Laws, Lofty shall comply with any legitimate and commercially reasonable request by Customer to facilitate such actions. Considering the nature of the processing, the Service Controls are the technical and organizational measures, Lofty will assist Customer in fulfilling Customer’s obligations to respond to data subjects’ requests under the GDPR. If a data subject makes a request to Lofty, Lofty will promptly forward such request to Customer once Lofty has identified that the request is from a data subject for whom Customer is responsible. Customer authorizes on its behalf, and on behalf of its controllers when Customer is acting as a processor, Lofty to respond to any data subject who makes a request to Lofty, to confirm that Lofty has forwarded the request to Customer.
Security Incident Notification.
- 6.1
  Security Incident. Lofty will (a) notify Customer of a Security Incident without unreasonable delay after becoming aware of the Security Incident, and (b) take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
- 6.2
  Lofty Assistance. To enable Customer to notify of a Security Incident, Lofty will cooperate with and assist Customer by including in the notification under this Section such information about the Security Incident as Lofty is able to disclose to Customer, taking into account the nature of the processing, the information available to Lofty, and any restrictions on disclosing the information, such as confidentiality. Considering the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security Incident.
- 6.3
  Unsuccessful Security Incidents. Customer agrees that:
  - 6.3.1. an unsuccessful Security Incident will not be subject to this Section. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Lofty’s equipment or facilities storing Customer Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
  - 6.3.2. Lofty’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Lofty of any fault or liability Lofty with respect to the Security Incident.
- 6.4
  Communication. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Lofty selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information at all times.
Audits and Inspections.
- 7.1
  Internal Audits. Upon written request, Lofty shall provide, at its own expense, if available, any data security compliance reports or audit reports that assess the effectiveness of Lofty's information security program, system(s), internal controls, and procedures relating to the Processing of Customer Personal Data.
- 7.2
  Customer Audits. Upon written request, Lofty agrees to respond, no more than once per year, to a reasonable information security questionnaire concerning security practices specific to the Services provided hereunder. Upon reasonable advance written notice in no case fewer than thirty (30) business days and Lofty acceptance, Customer may, not more than once per year, during normal business hours and at its own expense, inspect Lofty facilities, networks and procedures directly related to the processing of Customer Personal Data in order to determine compliance with this Agreement. Lofty shall reasonably cooperate with such audit by providing access to knowledgeable personnel, physical premises as applicable, documentation, infrastructure, and any application software that Processes Customer Personal Data. Customer shall be responsible for the costs and expenses of such an audit. Customer acknowledges that certain information about Lofty's security standards and practices are sensitive confidential information which will not be disclosed by Lofty to Customer.
- 7.3
  Privacy Impact Assessment and Prior Consultation. Taking into account the nature of the processing and the information available to Lofty, Lofty will reasonably assist Customer at Customer’s cost and expense in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation.
International Transfers
- 8.1
  Lofty may Process Customer Personal Data in the United States and anywhere else in the world where Lofty or its Sub-processors maintain data Processing operations. Lofty shall at all times provide an adequate level of protection for Customer Personal Data, in accordance with the requirements of Data Protection Laws.
- 8.2
  
  To the extent performance of the Services requires the transfer of Customer Personal Data from within the European Union, the European Economic Area and their member states, Switzerland, or the United Kingdom to a country not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the GDPR), the Standard Contractual Clauses will apply to the transfer and are incorporated by reference herein.
Termination of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date”).
Return or Deletion of Customer Data. At any time up to the Termination Date, and for 90 days following the Termination Date, subject to the terms and conditions of the Agreement, Lofty will return or delete Customer Data when Customer uses the Service Controls to request such return or deletion.
Sub-processing.
- 11.1
  Authorized Sub-processors. Customer provides general authorization to Lofty's use of sub-processors to provide processing activities on Customer Data on behalf of Customer (“Sub-processors”) in accordance with this Section. The Lofty lists of Sub-processors that are currently engaged by Lofty listed within Annex 1 of this agreement. At least 30 days before Lofty engages a Sub-processor, Lofty will update Annex 1 and provide Customer with a mechanism to obtain notice of that update. To object to a Sub-processor, Customer can: (i) terminate the Agreement pursuant to its terms; or (ii) cease using the Service for which Lofty has engaged the Sub-processor.
- 11.2Sub-processor Obligations. Where Lofty authorizes a Sub-processor:
  - 11.2.1
    Lofty will restrict the Sub-processor’s access to Customer Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Lofty will prohibit the Sub-processor from accessing Customer Data for any other purpose.
  - 11.2.2
    Lofty will enter into a written agreement with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Lofty under this DPA, Lofty will impose on the Sub-processor the same contractual obligations that Lofty has under this DPA; and
  - 11.2.3
    Lofty will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Lofty to breach any of Lofty's obligations under this DPA.
Requests, Demands, And Inquiries from Governmental or Regulatory Bodies.
- 12.1
  Unless prohibited to do so by applicable law, Lofty shall inform Customer as soon as possible if it receives a request or demand from a governmental or regulatory body with authority over Lofty or Customer relating to Lofty's Processing of Customer Personal Data. Lofty may attempt to redirect the government or regulatory body to request that data directly from Customer. As part of this effort, Lofty may provide Customer’s basic contact information to the government or regulatory body. If compelled to disclose Customer Personal Data to a government or regulatory authority, then Lofty shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Lofty is legally prohibited from doing so.
- 12.2
  Lofty shall provide commercially reasonable cooperation to assist Customer in its response to any requests from a Supervisory Authority relating to the Processing of Customer Personal Data under the Agreement and this DPA.
- 12.3
  Authority in the performance of its tasks relating to this Section, to the extent required under any Data Protection Laws.
MISCELLANEOUS.
- 13.1
  Termination and Survival. This Agreement and all provisions herein shall survive so long as, and to the extent that, Lofty Processes or retains Customer Personal Data.
- 13.2
  Counterparts. This Agreement may be executed in any number of counterparts and any Party (including any duly authorized representative of a Party) may enter into this Agreement by executing a counterpart.
- 13.3
  Ineffective clause. If individual provisions of this Agreement are or become ineffective, the effectiveness of the remaining provisions shall not be affected. The Parties shall replace the ineffective clause with a legally allowed clause, which will accomplish the intended commercial intention as closely as possible.

Annex 1 - List of Sub-processors

As of the date of this agreement, Lofty engages the following sub-processors that may process Personal Data:

Sub-processor (Entity Name)	Service Provider's Location	Provided Service
Amazon Web Services (AWS)	USA	Infrastructure as a Service and Platform as a Service
Google Cloud Platform (GCP)	USA	Natural Language Understanding
OpenAI	USA	Generative AI
Vonage	USA	Cloud Communication Service Provider
Bandwidth	USA	Communication Platform for Messaging Service
Lob	USA	Automated direct mail and postal service provider
Zendesk	USA	Customer Support
MailParser	USA	Mail Parsing Service
National Processing	USA	Payment Gateway
HubSpot	USA	Marketing and Analytics
Atlassian - Jira	USA	Ticketing System
Office 365	USA	Business Communication and Collaboration
Twilio	USA	Cloud Communication Service Provider
Monday.com	USA	Project Management
Thinkific	USA	Online Training
Productboard	USA	Product Tracking and feedback collection
Home Junction / Attom Data	USA	Listing Data Analysis

Annex 2 - Information Security Measures

Security Program. Lofty has developed, implemented, and will consistently update and maintain as needed: (i) a written and comprehensive information security program in compliance with applicable Data Protection Law; and (ii) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identify theft. Lofty will maintain appropriate measures to protect the integrity, security and confidentiality of all Customer Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of such data, which measures shall include the following:

In assessing the appropriate level of security account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Customer Personal Data;
the encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data;
measures to identify vulnerabilities regarding the processing of Personal Data in systems used to provide services to the Customer;

Access. Lofty shall reasonably update all access rights based on personnel or computer system changes and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Customer Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to fulfill the purposes of the Agreement. Access controls include:

Changes. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. Lofty will therefore evaluate the measures on a periodic basis and will take reasonable measures to maintain compliance with the requirements. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction.

Where an amendment to the Service Agreement is necessary in order to execute a Customer instruction to Lofty to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the underlying agreement in good faith.

Physical Security Measures. Lofty shall maintain appropriate physical security measures for any facility used to Process Customer Personal Data and continually monitor any changes to the physical infrastructure, business, and known threats.

Lofty maintains physical security standards designed to prohibit unauthorized physical access to Lofty facilities and equipment by using the following practices:

physical access to locations is limited to Lofty employees, subcontractors, and authorized visitors;
Lofty employees, subcontractors, and authorized visitors are issued identification cards that must be worn while on premises;
monitoring access to Lofty facilities, including restricted areas and equipment within facilities;
access to the data center where Customer Personal Data is hosted is logged, monitored, and tracked; and
data centers are secured with alarm systems and video cameras.

Technical Security Measures. Lofty shall:

Perform vulnerability scanning on key applications and infrastructure.
Identify computer systems and applications that warrant security event monitoring.
Encrypt Personal Data in transit, and where needed, at rest.
Deploy necessary system security patches to all software and systems that process or store Personal Data.
Use up-to-date commercial virus/malware scanning software that identifies malicious code on all of its systems that collect, use, disclose, store, retain or otherwise Process Personal Data.
Use an up-to-date multi-factor authentication solution to ensure that only authorized personnel have access to Customer Personal Data.
Computers and servers have reasonable up-to-date versions of system security software which may include host firewall, anti-virus protection, and up-to-date patches and virus definitions.
Lofty maintains logs of various components of the infrastructure and an intrusion detection system.